> From: Haya Shulman <haya.shul...@gmail.com>

> We (me and my phd advisor Prof Amir Herzberg) recently found a number of
> new DNS vulnerabilities, which apply to patched and standard DNS resolvers,
> ...

> Recommendations:
> ...

The complete absence of any mention of DNSSEC among those recommendations
(or elsewhere) reads like an implicit claim that DNSSEC would not
help.  Even if that claim was not intended, would it be accurate?

Would DNSSEC make any of the recommendations less necessary or perhaps
even moot?  If DNSSEC by itself would be effective against cache
poisoning, then isn't it among the recommendations, especially for
"Resolver-behind-Upstream"?  Why aren't efforts to protect port
randomization, hide hidden servers and so forth like trying to make
it safe to use .rhosts and /etc/hosts.equiv files by filtering ICMP
redirects and IP source routing, and strengthening TCP initial sequence
numbers?

It's not that filtering ICMP redirects, etc. are wrong, but I think
today those things are used for availability instead of data integrity
(or authentication and authorization), and small leaks are not
always and everywhere seen as catastrophes.  In fact, haven't ICMP
redirects been reborn as fundamental parts of IPv6?


Vernon Schryver    v...@rhyolite.com
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations